We may pass your data to carefully selected third parties…

It started when I got a new Tesco credit card. The following day I went to an outlet retail park and bought a few T shirts from Cotton Traders, Craghoppers and similar stores. The next wednesday I received through the post a Craghoppers catalogue. I was intrigued. I’d used Craghoppers decades ago when I was young and fit but the only connection between me and them was my Tesco credit card. No-one in the retail park had asked for my address – they’d just taken payment. Had Tesco supplied my data to Craghoppers? I thought I’d find out. I made a subject access request to Craghoppers.

To  ‘customerservices@craghoppers.com’

Date Mon 18/04/2011 15:45

Dear Sir

My  address is xxxxxxxxxxxxxxxxxx. If you require anything further to validate this request please tell me.

Please supply me with any personal data you hold on me particularly about the mailing I have just received from you with the media code CE14 and 51574/38122A  516 in the right hand corner of the label.

Please tell me from where you obtained my address. This includes “any information available to the Data Controller as to the source of those data”. (Section 7 (1) (c) (ii) of Data Protection Act 1998).

Regards

Dear Mr xxxxxxxxx

Thank you for your recent email. The only information on our system is your name, address and details of an order you recently placed with us. It appears that until you placed this order none of your details were on our systems, this would indicate that the mailing data for the catalogue you received was sourced from a third party whom you have given permission to share your data. Your account now on our system does not have any mailing options activated.

If we can be of any further assistance please do not hesitate to contact us.

Kind regards

Craghoppers Customer Service Team

Hmmm. This says (I think) that until I bought a shirt (I’m a sucker for shirts) on Monday 18th April at 1552 they didn’t have any personal data on me at all. How then did they send me a catalogue?

I didn’t ask for my mailing options to be de-activated.

I never give my permission for a 3rd party to share my data (I am a DP freak)

It seems someone out there who is not Craghoppers sent me a Craghoppers catalogue. Hmmm… there’s work to do. Little did I realise it would mean many subject access requests and a story of subterfuge and data sharing…

Read more at  http://www.actnow.org.uk/media/articles/sar2012.pdf

Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Leave a Reply

%d